The media seems to love nothing more than putting the boot into public sector organisations over security. Unfortunately, sometimes, their criticisms are all too justified. Perfect security appears to come with a heavy price tag in terms of everyday usability: if a system is secure, staff find it hard to use. Is there a way to remove this unpleasant trade-off?
Kim Thomas finds out…
The sort of bad news the media just loves…
Two CD-ROMs containing the details of 25 million taxpayers go missing. A memory stick containing the details of 130,000 criminals is lost. A laptop holding sensitive government data is sold on eBay. It seems that barely a week goes by without reports of a government agency mislaying some sensitive data. Public confidence in the security of their personal data has been badly shaken.
It is small consolation that the public sector is probably no worse in this regard than the private sector, which generally finds it easier to keep its data losses out of the public eye. All organisations are bound by legal obligations under the Data Protection Act to keep data held on individuals private. The question is: how?
Locked vault or stable door?
It’s a tough challenge, and getting tougher, because of the ease with which data can be moved around. Richard Edwards, information management practice director at Butler Group, the analyst firm, points out that network security is “very tightly controlled” in most organisations. The problem is that as soon as data moves onto other media, such as an email or a memory stick, that control is lost: “We’re in a situation where any email can be sent out with a spreadsheet that has important data on it, and once that goes out of the organisation it’s at the mercy of whoever receives it. Likewise, if a user puts some data onto a memory stick, this can mean that the protection of that asset no longer exists.”
But for any organisation to operate effectively, data has to leave the organisation. Employees increasingly tend to work from home or at partner sites, and carry laptops with them. Most organisations now work with suppliers and contractors who will sometimes need access to electronic information.
While one solution is to impose stringent controls on all data leaving the organisation, this can result in frustrated staff attempting to find ways around the controls. Disabling USB ports, for example, to stop data being copied onto a memory stick, can simply lead to users emailing files to themselves. And organisations can be reluctant to implement some security technologies, says Edwards, because of the perceived burden on the IT function: “A significant proportion of calls to the help desk are related to password resets and security issues of one kind or another.”
An example of the security challenge: NOMS
The National Offender Management Service (NOMS), a government agency that helps criminals avoid reoffending, faced exactly this dilemma. The organisation holds highly sensitive information on offenders, which needs to be carefully safeguarded. At the same time, many of its staff need to work off site, meeting offenders and voluntary agencies. The two requirements clashed.
When staff wanted to access the office network after an offsite meeting, they had to travel to a regional office to access the network securely, which had an adverse effect on productivity. Their job was made more difficult when, in response to public concern about security, the government put a ban on removing laptops from the workplace unless the data was encrypted to an approved standard. Users started to avoid working remotely, resulting in increased costs of managing office space and a decline in quality of service.
How to assess security risk – before the worst happens
So how can public sector organisations find a way of balancing the need to secure information with the need to maintain productivity? Dan Pilling, Marketing Programmes Manager at Microsoft, says the first step is to carry out a risk assessment: “You need to break up individuals in organisations into roles, and based on those roles, work out whether they need to have that information, whether information needs to travel or whether it must stay within the organisation. You need to understand what the risks are, and who potentially has the information you wouldn’t want to leave the organisation. If people do need to travel with data, then appropriate steps need to be taken.”
Those steps include putting in place policies and controls to minimise the key risks. Edwards recommends basing controls on those set out in the ISO/IEC 27002:2005 standard, though it can be necessary, he adds, to “design new controls to meet specific organisational needs.” Good practice, he says, includes:
- creating an information security policy document
- allocating information security responsibilities
- training staff in the necessary information security practices (including common sense)
- developing a process to deal with security breaches.
Microsoft security solutions: designed for the real world
Controls will need to be supported by the appropriate technical measures. As NOMS found, this doesn’t necessarily entail the purchase of costly new technology, because security solutions are already embedded in existing Microsoft software. The organisation hired Microsoft Gold Certified Partner Transputec Computers to implement three technologies to provide staff with secure remote access: data encryption on portable computers using the Windows Vista Enterprise operating system; a virtual private network (VPN) based on Microsoft Exchange Server 2003, which gave users a secure remote connection to the office server; and a collaborative solution based on the Microsoft Office SharePoint Server 2003 (later upgraded to SharePoint Server 2007) document management system.
With Vista installed on their laptops, offender managers are able to use the BitLocker feature to encrypt the entire operating system. No-one can now gain access to a laptop without a designated USB key and password. With their laptops safely encrypted, and a VPN installed, managers can now connect to the office server from wherever they are, without having to travel to a regional office.
The addition of SharePoint has been a useful way of distributing up-to-date information among users: one document repository holds restricted information, and is only accessible using a VPN password; the other holds non-restricted data available to external agencies. The organisation believes that the ease with which users and partners can access essential information means that staff will spend on average one less hour a week looking for information, and will need to attend one less meeting a week, representing a saving of more than £2000 per user a year.
Despite concerns that implementing strong security measures can lead to user frustration and decreased productivity, the opposite has proved true for NOMS. By putting in place the security features offered by Vista, Exchange and SharePoint, NOMS has achieved increased productivity, greater flexibility for staff and an improved ability to collaborate.
- The need to share data outside the organisation makes it increasingly hard to keep information secure
- Many organisations are concerned that implementing stringent security measures can hinder productivity
- Any strategy to improve security must begin with a risk assessment to identify the data that needs to be safeguarded
- Deploying the security features of Microsoft technologies such as Vista provides an easy way to improve security while allowing greater flexibility and productivity
Kim Thomas is a freelance journalist, who specialises in writing about technology, business and education. Her clients include the Financial Times, the Economist Intelligence Unit and The Guardian as well as a number of B2B publications.